BreachFlow

See how major breaches actually unfold — step by step, as interactive attack-path replays.



Trending entry paths (7 days)

Most common Initial Access techniques:
Exploit Public-Facing Application (T1190): 1 incident
Phishing (T1566): 1 incident
Valid Accounts (T1078): 1 incident

All replays

Oregon Department of Emergency Management [NEW] | Year: 2026 | Attack: Valid Accounts
Oregon State Network Intrusion
Catalin Dragomir, known as 'inthematrixl', breached the Oregon Department of Emergency Management network in June 2021. He exfiltrated personally identifiable information (PII) including names, emails, dates of birth, and passport numbers, and subsequently sold this access and data. His activities led to over $250,000 in losses across multiple U.S. victims.

Carnival Corporation [NEW] | Year: 2026 | Attack: Phishing
ShinyHunters' Cruise Heist
The ShinyHunters cybercrime group breached Carnival Corporation's IT systems via a social engineering attack on an employee account. This led to the exfiltration of personal information belonging to 5,995,277 customers, including names, dates of birth, email addresses, and loyalty program details, which was subsequently leaked.

Microsoft [NEW] | Year: 2026 | Attack: Exploit Public-Facing Application
Zero-Day Exploitation Wave
Microsoft faced active exploitation of multiple Windows zero-day vulnerabilities, including BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), UnDefend (CVE-2026-45498), and MiniPlasma (CVE-2026-45585), affecting components like Defender and BitLocker. The disclosures by researcher Chaotic Eclipse led to 'bad actors' leveraging these flaws, prompting Microsoft to issue urgent security updates.

Charter Communications | Year: 2026 | Attack: Vishing
Spectrum's Stolen Records
The ShinyHunters extortion group breached Charter Communications, a major U.S. telecommunications provider, by compromising an employee's Microsoft Entra account via a voice phishing attack. They subsequently exfiltrated customer records from the company's Salesforce instance, claiming to have stolen 40 million records containing names, email addresses, and other customer data.

Tiledesk | Year: 2026 | Attack: Compromise of Software Dependencies and Development Tools
Megalodon CI/CD Backdoor
The Megalodon automated campaign pushed 5,718 malicious commits to 5,561 GitHub repositories, including @tiledesk/tiledesk-server, injecting GitHub Actions workflows with base64-encoded bash payloads. These payloads exfiltrated CI secrets, cloud credentials, SSH keys, OIDC tokens, and source code secrets to a C2 server. The campaign is linked to broader supply chain attacks by TeamPCP.

Department of Defense Information Network (DoDIN) | Year: 2026 | Attack: Exploit Public-Facing Application
Kimwolf's Global DDoS Reign
Jacob Butler, operating the Kimwolf DDoS botnet (a variant of AISURU), was arrested in Canada for orchestrating DDoS-for-hire attacks. The botnet enslaved IoT devices like digital photo frames and web cameras, using them to launch over 25,000 attack commands against various targets, including Department of Defense Information Network (DoDIN) IP addresses.

Ukraine Government Entities | Year: 2026 | Attack: Phishing: Spearphishing Link
Prometheus Phishing Campaign
The Belarus-aligned threat actor Ghostwriter (UAC-0057/UNC1151) targeted Ukrainian government entities with phishing emails using lures related to the Prometheus online learning platform. The attack deployed OYSTERFRESH, OYSTERBLUES, and OYSTERSHUCK malware to harvest system information and establish Cobalt Strike for post-exploitation activities.

European Governmental Organizations | Year: 2026 | Attack: Exploit Public-Facing Application
Webworm's EU Espionage
China-backed APT group Webworm targeted governmental organizations in Europe, including Belgium, Italy, Serbia, Spain, and Poland, between early 2024 and early 2025. They used custom backdoors EchoCreep and GraphWorm for command and control via Discord and the Microsoft Graph API, along with SOCKS proxies like SoftEther VPN for stealthy communication and espionage.